Ocata Series Release Notes
15.1.28-10
Upgrade Notes
The default method for downloading roles has been switched from galaxy to git-clone. This has no functional effect, but is now required in order to successfully download the ceph-ansible repository. In order to prevent clashes between the old and new roles, the existing /etc/ansible/roles/ceph* folders should be removed prior to running scripts/bootstrap-ansible.sh during the minor upgrade process.
Bug Fixes
The ceph-ansible individual role repositories were all removed from GitHub around 16 January 2019, causing the bootstrap-ansible script to fail for any new deployments, or during upgrades for environments which had these roles previously. To replace them, the ceph-ansible git repository is used instead.
15.1.23
New Features
The variable lxc_net_manage_iptables has been added. This variable can be overridden by deployers if system-wide iptables rules are already in place or are managed by means of the deployer's choice.
Known Issues
With the release of CentOS 7.5, all pike releases are broken due to a mismatch in version between the libvirt-python library specified by the OpenStack community, and the version provided in CentOS 7.5. As such OSA is unable to build the appropriate python library for libvirt. The only recourse for this is to upgrade the environment to the latest queens release.
Deprecation Notes
The variable nova_compute_pip_packages is no longer used and has been removed.
Bug Fixes
In order to prevent further issues with a libvirt and python-libvirt version mismatch, KVM-based compute nodes will now use the distribution package python library for libvirt. This should resolve the issue seen with pike builds on CentOS 7.5.
15.1.22
Known Issues
All OSA releases earlier than 17.0.5, 16.0.4, and 15.1.22 will fail to build the rally venv due to the release of the new cmd2-0.9.0 python library. Deployers are encouraged to update to the latest OSA release which pins to an appropriate version which is compatible with python2.
Recently the spice-html5 git repository was entirely moved from https://github.com/SPICE/spice-html5 to https://gitlab.freedesktop.org/spice/spice-html5. This results in a failure in the git clone stage of the repo-build.yml playbook for OSA ocata releases earlier than 15.1.22. To fix the issue, deployers may upgrade to the most recent release, or may implement the following override in user_variables.yml.
    nova_spicehtml5_git_repo: https://gitlab.freedesktop.org/spice/spice-html5.git
Upgrade Notes
The distribution package lookup and data output has been removed from the py_pkgs lookup so that the repo-build use of py_pkgs has reduced output and the lookup is purpose specific for python packages only.
Bug Fixes
Newer releases of CentOS ship a version of libnss that depends on the existence of /dev/random and /dev/urandom in the operating system in order to run. This causes a problem during the cache preparation process, which runs inside a chroot that does not contain them, resulting in errors with the following message:
    error: Failed to initialize NSS library
This has been resolved by introducing a /dev/random and /dev/urandom inside the chroot-ed environment.
15.1.21
Known Issues
In the lxc_hosts role execution, we make use of the images produced on a daily basis by images.linuxcontainers.org. Recent changes in the way those images are produced have resulted in changes to the default /etc/resolv.conf in that default image. As such, when executing the cache preparation it fails. For ocata releases prior to 15.1.21 the workaround to get past the error is to add the following to the /etc/openstack_deploy/user_variables.yml file.
    lxc_cache_prep_pre_commands: "rm -f /etc/resolv.conf || true"
    lxc_cache_prep_post_commands: "ln -s ../run/resolvconf/resolv.conf /etc/resolv.conf -f"
15.1.20
New Features
When venvwithindex=True and ignorerequirements=True are both specified in tempest_git_install_fragments (as was previously the default), this results in tempest being installed from PyPI without any constraints being applied. This could result in the version of tempest being installed in the integrated build being different than the version being installed in the independent role tests. Going forward, we remove the tempest_git_* overrides in playbooks/defaults/repo_packages/openstack_testing.yml so that the integrated build installs tempest from PyPI, but with appropriate constraints applied.
15.1.17
Known Issues
For all ocata releases up to 15.1.16 when executing the os-nova-install.yml playbook the nova-novncproxy and nova-spicehtml5proxy services will fail. The workaround to resolve this issue is to restart the services.
    cd /opt/rpc-openstack/openstack-ansible/playbooks
    # start the service again
    # replace nova-novncproxy with nova-spicehtml5proxy when appropriate
    ansible nova_console -m service -a 'name=nova-novncproxy state=restarted'
    # set the appropriate facts to prevent the playbook trying
    # to reload it again when the playbook is run again
    ansible nova_console -m ini_file -a 'dest=/etc/ansible/facts.d/openstack_ansible.fact section=nova option=need_service_restart value=False'
This issue has been resolved in the 15.1.17 release.
Other Notes
The max_fail_percentage playbook option has been used with the default playbooks since the first release of the playbooks back in Icehouse. While the intention was to allow large-scale deployments to succeed in cases where a single node fails due to transient issues, this option has produced more problems than it solves. If a failure occurs that is transient in nature but is under the set failure percentage the playbook will report a success, which can cause silent failures depending on where the failure happened. If a deployer finds themselves in this situation the problems are then compounded because the tools will report there are no known issues. To ensure deployers have the best deployment experience and the most accurate information a change has been made to remove the max_fail_percentage option from all of the default playbooks. The removal of this option has the side effect of requiring the deployer to skip specific hosts should one need to be omitted from a run, but has the benefit of eliminating silent, hard to track down, failures. To skip a failing host for a given playbook run use the --limit '!$HOSTNAME' CLI switch for the specific run. Once the issues have been resolved for the failing host rerun the specific playbook without the --limit option to ensure everything is in sync.
15.1.16
Known Issues
For all ocata releases prior to OpenStack-Ansible 15.1.16, several of the magnum requirements were not constrained. This resulted in the kubernetes version changing over time unexpectedly, rather than by intention. Most recently this lack of constraint causes the repo build to fail when trying to build the magnum venv due to incompatible requirements.
The kubernetes version deployed with ocata is now constrained to version 2.0.0, matching the same version as deployed in all pike releases.
All the ocata versions 15.1.15 and before use mariadb-server 10.1 with no minor version frozen. The latest version, 10.1.31, has presented problems with the state transfer for multi-node environments when the variable galera_wsrep_sst_method is set to xtrabackup-v2 (the default value). This causes a new cluster to fail, or an existing cluster to be unable to transfer state when a node is rebooted.
To work around this issue, the recommendation is to set the following overrides in /etc/openstack_deploy/user_variables.yml to ensure that the last known good version of MariaDB is used.
From 15.1.16 onwards, these values are set as defaults and will be updated from time to time after verifying that the new versions work. As such, setting these overrides is not required for 15.1.16 onwards.
    # Use these values for Ubuntu
    galera_repo_url: https://downloads.mariadb.com/MariaDB/mariadb-10.1.30/repo/ubuntu
    galera_client_repo_url: "{{ galera_repo_url }}"

    # Use these overrides for CentOS/RHEL:
    galera_repo_url: https://downloads.mariadb.com/MariaDB/mariadb-10.1.30/yum/centos7-amd64/
    galera_client_repo_url: "{{ galera_repo_url }}"

    # Use these values for SuSE
    galera_repo_url: https://downloads.mariadb.com/MariaDB/mariadb-10.1.30/yum/opensuse42-amd64
    galera_client_repo_url: "{{ galera_repo_url }}"
The problem has been registered upstream and progress on the issue can be followed there: https://jira.mariadb.org/browse/MDEV-15254
15.1.15
New Features
HAProxy services that use backend nodes that are not in the Ansible inventory can now be specified manually by setting haproxy_backend_nodes to a list of name and ip_addr settings.
15.1.14
New Features
The galera cluster now supports cluster health checks over HTTP using port 9200. The new cluster check ensures a node is healthy by running a simple query against the wsrep sync status using the monitoring user. This change will provide for a more robust cluster check ensuring we have the most fault tolerant galera cluster possible.
Galera healthcheck has been improved, and relies on an xinetd service. By default, the service is inaccessible (filtered with the no_access directive). You can override the directive by setting galera_monitoring_allowed_source to any valid xinetd value.
15.1.13
Deprecation Notes
The gnocchi_keystone_auth_plugin variable has been deprecated. gnocchi_keystone_auth_type should be used instead to configure authentication type.
15.1.12
Known Issues
If the protocol of either the keystone admin or internal endpoints is ‘https’ and SSL is being terminated at a load balancer, tasks which verify that services are responsive and perform the initial service setup through the keystone hosts’ web server ports may fail.
Set keystone_mod_wsgi_enabled to false to deploy Keystone under uWSGI and allow the web server to be bypassed during these tasks.
See Launchpad Bug 1699191 for more details.
15.1.11
Bug Fixes
The sysstat package was installed on all distributions, but it was only configured to run on Ubuntu and OpenSUSE. It would not run on CentOS due to bad SELinux contexts and file permissions on /etc/cron.d/sysstat. This has been fixed and sysstat now runs properly on CentOS.
15.1.10
New Features
Extra headers can be added to Keystone responses by adding items to keystone_extra_headers. Example:
    keystone_extra_headers:
      - parameter: "Access-Control-Expose-Headers"
        value: "X-Subject-Token"
      - parameter: "Access-Control-Allow-Headers"
        value: "Content-Type, X-Auth-Token"
      - parameter: "Access-Control-Allow-Origin"
        value: "*"
The default ulimit for RabbitMQ is now 65536. Deployers can still adjust this limit using the rabbitmq_ulimit Ansible variable.
Security Issues
The net.bridge.bridge-nf-call-* kernel parameters were set to 0 in previous releases to improve performance and it was left up to neutron to adjust these parameters when security groups are applied. This could cause situations where bridge traffic was not sent through iptables and this rendered security groups ineffective. This could allow unexpected ingress and egress traffic within the cloud.
These kernel parameters are now set to 1 on all hosts by the openstack_hosts role, which ensures that bridge traffic is always sent through iptables.
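A host-side check for the setting described above, as an added example that is not part of the OpenStack-Ansible release notes or code base. It assumes the three standard kernel parameters covered by the net.bridge.bridge-nf-call-* wildcard; the function name audit_bridge_nf and its directory argument are hypothetical.

```shell
# Added example: audit the bridge netfilter sysctls.
# audit_bridge_nf [DIR] (hypothetical helper name)
#   Prints one line per parameter and returns:
#     0  every parameter is present and set to 1
#     1  at least one parameter is missing or not 1
#     2  the sysctl directory itself is absent
#   DIR defaults to the procfs location; passing another directory lets
#   the check run against a constructed tree.
audit_bridge_nf() {
    local dir="${1:-/proc/sys/net/bridge}"
    local rc=0
    local param value

    # Without the bridge netfilter module loaded the directory does not
    # exist, and bridged frames are not handed to iptables at all.
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir (bridge netfilter module not loaded?)"
        return 2
    fi

    for param in bridge-nf-call-iptables \
                 bridge-nf-call-ip6tables \
                 bridge-nf-call-arptables; do
        if [ ! -r "$dir/$param" ]; then
            echo "MISSING net.bridge.$param"
            rc=1
            continue
        fi
        # procfs values end in a newline; strip all whitespace first.
        value="$(tr -d '[:space:]' < "$dir/$param")"
        if [ "$value" = "1" ]; then
            echo "OK net.bridge.$param=1"
        else
            echo "FAIL net.bridge.$param=$value (bridge traffic bypasses iptables)"
            rc=1
        fi
    done
    return "$rc"
}
```

Run audit_bridge_nf with no argument on a compute or network host; a non-zero return on a host that applies security groups is the condition this note describes.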
Bug Fixes
The sysctl configuration task was not skipping configurations where enabled was set to no. Instead, it was removing configurations when enabled: no was set.
There is now a fix in place that ensures any sysctl configuration with enabled: no will be skipped and the configuration will be left unaltered on the system.
15.1.9
New Features
The config_template template module now supports writing out valueless INI options without suffixing them with ‘=’ or ‘:’. This is done via the ‘ignore_none_type’ attribute. If ignore_none_type is set to true, these key/value entries will be ignored; if it’s set to false, then ConfigTemplateParser will write out only the option name without the ‘=’ or ‘:’ suffix. The default is true.
Upgrade Notes
The following variables have been removed from the haproxy_server role as they are no longer necessary or used.
- haproxy_repo
- haproxy_gpg_keys
- haproxy_required_distro_packages
Security Issues
PermitRootLogin in the ssh configuration has changed from yes to without-password. This will only allow ssh to be used to authenticate root via a key.
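One way to confirm the resulting setting on a host, as an added example that is not OpenStack-Ansible code. The function names are hypothetical, Include directives are not followed, and prohibit-password is OpenSSH's newer spelling of without-password.

```shell
# Added example: report the global PermitRootLogin value in an sshd_config.
# effective_permit_root_login FILE (hypothetical helper name)
#   sshd uses the first value it reads for a keyword, keywords are
#   case-insensitive, and everything after the first Match line is
#   conditional, so the scan stops there. Prints "unset" if no global
#   value is found.
effective_permit_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword and argument are separated by whitespace or one "="
            n = match(line, /[ \t=]/)
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit
            if (key == "permitrootlogin") { print val; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_root_login FILE (hypothetical helper name)
#   Returns 0 when root cannot log in with a password, 1 when the value
#   is "yes" (the pre-15.1.9 setting), 2 when the value needs review.
check_root_login() {
    local value
    value="$(effective_permit_root_login "$1")"
    case "$value" in
        without-password|prohibit-password|forced-commands-only|no)
            echo "OK PermitRootLogin=$value"
            return 0 ;;
        yes)
            echo "FAIL PermitRootLogin=yes (root password login allowed)"
            return 1 ;;
        *)
            echo "REVIEW PermitRootLogin=$value (default applies or value not recognised)"
            return 2 ;;
    esac
}
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, including defaults, and is the authoritative cross-check.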
Bug Fixes
In Ubuntu the dnsmasq package actually includes init scripts and service configuration which conflict with LXC and are best not included. The actual dependent package is dnsmasq-base. The package list has been adjusted and a task added to remove the dnsmasq package and purge the related configuration files from all LXC hosts.
Mysql cnf files can now be properly overridden. The config_template module has been extended to support valueless options, such as those that are found in the my.cnf file (i.e. quick under the mysqldump section). To use valueless options, use the ignore_none_type attribute of the config_template module.
15.1.8
New Features
The os_nova role now provides for doing online data migrations once the db sync has been completed. The data migrations will not be executed until the boolean variable nova_all_software_updated is true. This variable will need to be set by the playbook consuming the role.
15.1.7
New Features
The os_swift role now supports the swift3 middleware, allowing access to swift via the Amazon S3 API. This feature can be enabled by setting swift_swift3_enabled to true.
The os_cinder role now provides for doing online data migrations once the db sync has been completed. The data migrations will not be executed until the boolean variable cinder_all_software_updated is true. This variable will need to be set by the playbook consuming the role.
A new repository for installing modern erlang from ESL (erlang solutions) has been added giving us the ability to install and support modern stable erlang over numerous operating systems.
The ability to set the RabbitMQ repo URL for both erlang and RabbitMQ itself has been added. This has been done to allow deployers to define the location of a given repo without having to fully redefine the entire set of definitions for a specific repository. The default variables rabbitmq_gpg_keys, rabbitmq_repo_url, and rabbitmq_erlang_repo_url have been created to facilitate this capability.
It’s now possible to disable the heat stack password field in horizon. The horizon_enable_heatstack_user_pass variable has been added and defaults to True.
The os-nova-install.yml playbook will now execute a rolling upgrade of nova including database migrations as per the procedure described in the nova documentation.
Known Issues
MemcacheD sets PrivateDevices=true in its systemd unit file to add extra security around mount namespaces. While this is useful when running MemcacheD on a bare metal host with other services, it is less useful when MemcacheD is already in a container with its own namespaces. In addition, LXC 2.0.8 presents /dev/ptmx as a bind mount within the container and systemd 219 (on CentOS 7) cannot make an additional bind mount of /dev/ptmx when PrivateDevices is enabled.
Deployers can set memcached_disable_privatedevices to yes to set PrivateDevices=false in the systemd unit file for MariaDB on CentOS 7. The default is no, which keeps the default systemd unit file settings from the MemcacheD package.
For additional information, refer to the following bugs:
MariaDB 10.1+ includes PrivateDevices=true in its systemd unit files to add extra security around mount namespaces for MariaDB. While this is useful when running MariaDB on a bare metal host with other services, it is less useful when MariaDB is already in a container with its own namespaces. In addition, LXC 2.0.8 presents /dev/ptmx as a bind mount within the container and systemd 219 (on CentOS 7) cannot make an additional bind mount of /dev/ptmx when PrivateDevices is enabled.
Deployers can set galera_disable_privatedevices to yes to set PrivateDevices=false in the systemd unit file for MariaDB on CentOS 7. The default is no, which keeps the default systemd unit file settings from the MariaDB package.
For additional information, refer to the following bugs:
Upgrade Notes
Changing to the ESL repos has no upgrade impact. The version of erlang provided by ESL is newer than what is found in the distro repos. Furthermore, a pin has been added to ensure that APT always uses the ESL repos as its preferred source, which has been done simply to ensure APT is always pointed at ESL.
The entire repo build process is now idempotent. From now on when the repo build is re-run, it will only fetch updated git repositories and rebuild the wheels/venvs if the requirements have changed, or a new release is being deployed.
The git clone part of the repo build process now only happens when the requirements change. A git reclone can be forced by using the boolean variable repo_build_git_reclone.
The python wheel build process now only happens when requirements change. A wheel rebuild may be forced by using the boolean variable repo_build_wheel_rebuild.
The python venv build process now only happens when requirements change. A venv rebuild may be forced by using the boolean variable repo_build_venv_rebuild.
The repo build process now only has the following tags, providing a clear path for each deliverable. The tag repo-build-install completes the installation of required packages. The tag repo-build-wheels completes the wheel build process. The tag repo-build-venvs completes the venv build process. Finally, the tag repo-build-index completes the manifest preparation and indexing of the os-releases and links folders.
Bug Fixes
Based on documentation from RabbitMQ [ https://www.rabbitmq.com/which-erlang.html ] this change ensures the version of erlang we’re using across distros is consistent and supported by RabbitMQ.
15.1.6
New Features
The os-cinder-install.yml playbook will now execute a rolling upgrade of cinder including database migrations (both schema and online) as per the procedure described in the cinder documentation. When haproxy is used as the load balancer, the backend being changed will be drained before changes are made, then added back to the pool once the changes are complete.
The horizon_images_allow_location variable is added to support the IMAGES_ALLOW_LOCATION setting in the horizon_local_settings.py file, which allows an external location to be specified during image creation.
The os-neutron-install.yml playbook will now execute a rolling upgrade of neutron including database migrations (both expand and contract) as per the procedure described in the neutron documentation.
Known Issues
OpenStack-Ansible sets a new variable, galera_disable_privatedevices, that controls whether the PrivateDevices configuration in MariaDB’s systemd unit file is enabled.
If the galera_server role is deployed on a bare metal host, the MariaDB default is maintained (PrivateDevices=true). If the galera_server role is deployed within a container, the PrivateDevices configuration is set to true to work around a systemd bug with a bind mounted /dev/ptmx.
See Launchpad Bug 1697531 for more details.
OpenStack-Ansible sets a new variable, memcached_disable_privatedevices, that controls whether the PrivateDevices configuration in MemcacheD’s systemd unit file is enabled.
If the memcached_server role is deployed on a bare metal host, the default is maintained (PrivateDevices=true). If the role is deployed within a container, the PrivateDevices configuration is set to true to work around a systemd bug with a bind mounted /dev/ptmx.
See Launchpad Bug 1697531 for more details.
15.1.5
New Features
The os_ceilometer role now includes a facility where you can place your own templates in /etc/openstack_deploy/ceilometer (by default) and it will be deployed to the target host after being interpreted by the template engine. If no file is found there, the fallback of the git sourced template is used.
For the os_designate role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the designate_*_init_config_overrides variables which use the config_template task to change template defaults.
The os_gnocchi role now includes a facility where you can place your own default api-paste.ini or policy.json file in /etc/openstack_deploy/gnocchi (by default) and it will be deployed to the target host after being interpreted by the template engine.
The new option haproxy_backend_arguments can be utilized to add arbitrary options to a HAProxy backend like tcp-check or http-check.
The ability to disable the certificate validation when checking and interacting with the internal cinder endpoint has been implemented. In order to do so, set the following in /etc/openstack_deploy/user_variables.yml.
    cinder_service_internaluri_insecure: yes
Upgrade Notes
For the os_designate role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the designate_*_init_config_overrides variables which use the config_template task to change template defaults.
The endpoint which designate uses to communicate with neutron has been set to the internalURL by default. This change has been done within the template designate.conf.j2 and can be changed using the designate_designate_conf_overrides variable.
The magnum client interaction will now make use of the public endpoints by default. Previously this was set to use internal endpoints.
The keystone endpoints for instances spawned by magnum will now be provided with the public endpoints by default. Previously this was set to use internal endpoints.
Deprecation Notes
The variable keepalived_uca_enable is deprecated, and replaced by keepalived_ubuntu_src. The keepalived_uca_enable variable will be removed in future versions of the keepalived role. The value of keepalived_ubuntu_src should be either “uca”, “ppa”, or “native”, for respectively installing from the Ubuntu Cloud archive, from keepalived stable ppa, or not installing from an external source.
The variable keepalived_use_latest_stable is deprecated, and replaced by keepalived_package_state. The keepalived_use_latest_stable variable will be removed in future versions of the keepalived role. The value of keepalived_package_state should be either “latest” or “present”.
The upstream noVNC developers recommend that the keymap be automatically detected for virtual machine consoles. The defaults for three Ansible variables have been removed:
nova_console_keymap
nova_novncproxy_vnc_keymap
nova_spice_console_keymap
The nova.conf template still includes these variables and it sets the keymap configuration option. Deployers who have customized this setting will not see a change in their nova.conf.
Security Issues
The magnum client interaction will now make use of the public endpoints by default. Previously this was set to use internal endpoints.
The keystone endpoints for instances spawned by magnum will now be provided with the public endpoints by default. Previously this was set to use internal endpoints.
15.1.4
New Features
New variables have been added to allow a deployer to customize a designate systemd unit file to their liking.
The task dropping the designate systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
Bug Fixes
Upgrading from Newton to Ocata will now correctly add existing Nova instances to the nova_cell1_name cell. For more information see bug 1682169.
Upstream is now depending on version 2.1.0 of ldappool.
15.1.3
New Features
New variables have been added to allow a deployer to customize an aodh systemd unit file to their liking.
The task dropping the aodh systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
For the os_aodh role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the aodh_*_init_config_overrides variables which use the config_template task to change template defaults.
For the os_barbican role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the barbican_*_init_config_overrides variables which use the config_template task to change template defaults.
New variables have been added to allow a deployer to customize a ceilometer systemd unit file to their liking.
The task dropping the ceilometer systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
For the os_ceilometer role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the ceilometer_*_init_config_overrides variables which use the config_template task to change template defaults.
New variables have been added to allow a deployer to customize a cinder systemd unit file to their liking.
The task dropping the cinder systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
New variables have been added to allow a deployer to customize a glance systemd unit file to their liking.
The task dropping the glance systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
For the os_glance role, the systemd unit RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. This value can be adjusted by using the glance_*_init_config_overrides variables which use the config_template task to change template defaults.
New variables have been added to allow a deployer to customize a gnocchi systemd unit file to their liking.
The task dropping the gnocchi systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
For the os_gnocchi role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the gnocchi_*_init_config_overrides variables which use the config_template task to change template defaults.
New variables have been added to allow a deployer to customize a heat systemd unit file to their liking.
The task dropping the heat systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
For the os_heat role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the heat_*_init_config_overrides variables which use the config_template task to change template defaults.
New variables have been added to allow a deployer to customize an ironic systemd unit file to their liking.
The task dropping the ironic systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
For the os_ironic role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the ironic_*_init_config_overrides variables which use the config_template task to change template defaults.
New variables have been added to allow a deployer to customize a keystone systemd unit file to their liking.
The task dropping the keystone systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
For the os_keystone role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the keystone_*_init_config_overrides variables which use the config_template task to change template defaults.
New variables have been added to allow a deployer to customize a magnum systemd unit file to their liking.
The task dropping the magnum systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
For the os_magnum role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the magnum_*_init_config_overrides variables, which use the config_template task to change template defaults.
New variables have been added to allow a deployer to customize a neutron systemd unit file to their liking.
The task dropping the neutron systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
For the os_neutron role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the neutron_*_init_config_overrides variables, which use the config_template task to change template defaults.
New variables have been added to allow a deployer to customize a nova systemd unit file to their liking.
The task dropping the nova systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
For the os_nova role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the nova_*_init_config_overrides variables, which use the config_template task to change template defaults.
In the Ocata release, Trove added support for encrypting the RPC communication between the guest DBaaS instances and the control plane. The default values for trove_taskmanager_rpc_encr_key and trove_inst_rpc_key_encr_key should be overridden to specify installation-specific values.
New variables have been added to allow a deployer to customize a sahara systemd unit file to their liking.
The task dropping the sahara systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
For the os_sahara role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the sahara_*_init_config_overrides variables, which use the config_template task to change template defaults.
New variables have been added to allow a deployer to customize a swift systemd unit file to their liking.
The task dropping the swift systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
New variables have been added to allow a deployer to customize a trove systemd unit file to their liking.
The task dropping the trove systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
For the os_trove role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the trove_*_init_config_overrides variables, which use the config_template task to change template defaults.
Upgrade Notes
For the os_aodh role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the aodh_*_init_config_overrides variables, which use the config_template task to change template defaults.
For the os_barbican role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the barbican_*_init_config_overrides variables, which use the config_template task to change template defaults.
For the os_ceilometer role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the ceilometer_*_init_config_overrides variables, which use the config_template task to change template defaults.
For the os_glance role, the systemd unit RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. This value can be adjusted by using the glance_*_init_config_overrides variables, which use the config_template task to change template defaults.
For the os_gnocchi role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the gnocchi_*_init_config_overrides variables, which use the config_template task to change template defaults.
For the os_heat role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the heat_*_init_config_overrides variables, which use the config_template task to change template defaults.
For the os_ironic role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the ironic_*_init_config_overrides variables, which use the config_template task to change template defaults.
For the os_keystone role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the keystone_*_init_config_overrides variables, which use the config_template task to change template defaults.
For the os_magnum role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the magnum_*_init_config_overrides variables, which use the config_template task to change template defaults.
For the os_neutron role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the neutron_*_init_config_overrides variables, which use the config_template task to change template defaults.
For the os_nova role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the nova_*_init_config_overrides variables, which use the config_template task to change template defaults.
For the os_sahara role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the sahara_*_init_config_overrides variables, which use the config_template task to change template defaults.
For the os_trove role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the trove_*_init_config_overrides variables, which use the config_template task to change template defaults.
15.1.2
New Features
A variable named bootstrap_user_variables_template has been added to the bootstrap-host role so the user can define the user variable template filename for AIO deployments.
SSL connections to MySQL are now supported. The galera_use_ssl option has to be set to true (default); in this case the playbooks either create a self-signed SSL bundle and set up the MySQL configs to use it, or distribute a user-provided bundle throughout the Galera nodes.
The dependency on cinder_backends_rbd_inuse in nova.conf when setting the rbd_user and rbd_secret_uuid variables has been removed. Cinder delivers all necessary values via RPC when attaching the volume, so those variables are only necessary for ephemeral disks stored in Ceph. These variables are required to be set up on the cinder-volume side under the backend section.
Critical Issues
A bug that caused the Keystone credential keys to be lost when the playbook is run during a rebuild of the first Keystone container has been fixed. Please see launchpad bug 1667960 for more details.
Bug Fixes
Nova features that use libguestfs (libvirt password/key injection) now work on compute hosts running Ubuntu. When Nova is deployed to Ubuntu compute hosts and either nova_libvirt_inject_key or nova_libvirt_inject_password is set to True, then kernels stored in /boot/vmlinuz-* will be made readable to the nova user. See launchpad bug 1507915.
15.1.1
New Features
The default value for the variable swift_proxy_server_workers is now capped at 16 when the user doesn’t configure this variable and the swift proxy is in a container. The default value is half the number of vCPUs available on the machine if the swift proxy is not in a container. The default value is half the number of vCPUs available on the machine with a capping value of 16 if the proxy is in a container.
Support has been added for the cinder v3 API. This is enabled by default, but can be disabled by setting the cinder_enable_v3_api variable to false.
For the os_cinder role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the cinder_*_init_config_overrides variables, which use the config_template task to change template defaults.
The Haproxy-server role now allows tunable parameters to be set. To do so, set up a dictionary of options in the config files, listing those which have to be changed (defaults for the remaining ones are programmed in the template). The “maxconn” global option has also been made tunable.
Deprecation Notes
The variables cinder_sigkill_timeout and cinder_restart_wait have been deprecated and will be removed in Pike.
Bug Fixes
The openstack service uri protocol variables were not being used to set the Trove specific uris. This resulted in ‘http’ always being used for the public, admin and internal uris even when ‘https’ was intended.
15.1.0
New Features
The default value for the variable aodh_wsgi_processes is now capped at 16 when the user doesn’t configure this variable. The default value is twice the number of vCPUs available on the machine with a capping value of 16.
The default value for the variable gnocchi_wsgi_processes is now capped at 16 when the user doesn’t configure this variable. The default value is twice the number of vCPUs available on the machine with a capping value of 16.
The default value for the variable ironic_wsgi_processes is now capped at 16 when the user doesn’t configure this variable. The default value is one fourth the number of vCPUs available on the machine with a capping value of 16.
The default value for the variable sahara_api_workers is now capped at 16 when the user doesn’t configure this variable. The default value is half the number of vCPUs available on the machine with a capping value of 16.
Tags have been added to all of the common tags with the prefix “common-”. This has been done to allow a deployer to rapidly run any of the common on a need basis without having to rerun an entire playbook.
The COPR repository for installing LXC on CentOS 7 is now set to a higher priority than the default to ensure that LXC packages always come from the COPR repository.
The galera_client role will default to using the galera_repo_url URL if the value for it is set. This simplifies using an alternative mirror for the MariaDB server and client as only one variable needs to be set to cover them both.
The default behaviour of ensure_endpoint in the keystone module has changed to update an existing endpoint, if one exists that matches the service name, type, region and interface. This ensures that no duplicate service entries can exist per region.
The repo server file system structure has been updated to allow for multiple Operating systems running multiple architectures to be run at the same time and served from a single server without impacting pools, venvs, wheel archives, and manifests. The new structure follows the following pattern $RELEASE/$OS_TYPE-$ARCH and has been applied to os-releases, venvs, and pools.
The deployer can now define an environment variable GROUP_VARS_PATH with the folders of their choice (separated by the colon sign) to define a user space group_vars folder. These vars will apply but be (currently) overridden by the OpenStack-Ansible default group vars, by the set facts, and by the user_* variables. If the deployer defines multiple paths, the variables found are merged, and precedence is increasing from left to right (the last defined in GROUP_VARS_PATH wins).
The deployer can now define an environment variable HOST_VARS_PATH with the folders of their choice (separated by the colon sign) to define a user space host_vars folder. These vars will apply but be (currently) overridden by the OpenStack-Ansible default host vars, by the set facts, and by the user_* variables. If the deployer defines multiple paths, the variables found are merged, and precedence is increasing from left to right (the last defined in HOST_VARS_PATH wins).
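The precedence rule described for GROUP_VARS_PATH and HOST_VARS_PATH, modelled as an added Python example (not OpenStack-Ansible code), reports which user-space variables end up replaced by a higher layer. The paths and variable names are constructed, the merge is assumed to act on top-level keys, and the three overriding layers are assumed to apply in the order the note lists them.

```python
# Added illustration, not OpenStack-Ansible code. It models the precedence the
# release note describes so a deployer can see which user-space variables
# actually take effect. All paths and variable names below are constructed.


def split_paths(env_value):
    """Split a colon-separated GROUP_VARS_PATH / HOST_VARS_PATH value, in order."""
    return [p for p in env_value.split(":") if p]


def build_layers(env_value, userspace, osa_defaults, set_facts, user_vars):
    """Return (source, variables) layers from lowest to highest precedence.

    Assumption: the overriding layers apply in the order the note lists them
    (OSA default vars, then set facts, then user_* variables).
    """
    layers = [(path, userspace.get(path, {})) for path in split_paths(env_value)]
    layers.append(("OSA default vars", osa_defaults))
    layers.append(("set facts", set_facts))
    layers.append(("user_* variables", user_vars))
    return layers


def resolve(layers):
    """Merge top-level keys; a later layer replaces an earlier one.

    Returns the effective variables and, per variable, the layer that won.
    Assumption: no deep merge of nested dictionaries.
    """
    effective, origin = {}, {}
    for source, variables in layers:
        for key, value in variables.items():
            effective[key] = value
            origin[key] = source
    return effective, origin


def shadowed(env_value, layers, origin):
    """List user-space variables whose value is replaced by a non-user-space layer."""
    user_paths = set(split_paths(env_value))
    found = set()
    for source, variables in layers:
        if source not in user_paths:
            continue
        for key in variables:
            if origin[key] not in user_paths:
                found.add((key, source, origin[key]))
    return sorted(found)


# Constructed sample input: two user-space folders, left to right.
ENV = "/etc/site/group_vars:/etc/team/group_vars"
USERSPACE = {
    "/etc/site/group_vars": {
        "site_ntp_server": "ntp.site.example",
        "site_banner": "site",
        "site_debug": False,
    },
    "/etc/team/group_vars": {"site_banner": "team"},
}
OSA_DEFAULTS = {"site_debug": True}          # stands in for an OSA default group var
SET_FACTS = {}
USER_VARS = {"site_ntp_server": "ntp.override.example"}

if __name__ == "__main__":
    layers = build_layers(ENV, USERSPACE, OSA_DEFAULTS, SET_FACTS, USER_VARS)
    effective, origin = resolve(layers)
    for key in sorted(effective):
        print(f"{key} = {effective[key]!r}  (from {origin[key]})")
    for key, defined_in, replaced_by in shadowed(ENV, layers, origin):
        print(f"shadowed: {key} in {defined_in} is replaced by {replaced_by}")
```

A variable set only in a user-space folder takes effect; one that OpenStack-Ansible also defines in its defaults does not, so settings that must hold belong in the user_* variables.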
Known Issues
There is currently an Ansible bug in regards to HOSTNAME. If the host .bashrc holds a var named HOSTNAME, the container where the lxc_container module attaches will inherit this var and potentially set the wrong $HOSTNAME. See the Ansible fix which will be released in Ansible version 2.3.
Upgrade Notes
The repo server file system structure has been updated to allow for multiple Operating systems running multiple architectures to be run at the same time and served from a single server without impacting pools, venvs, wheel archives, and manifests. The new structure follows the following pattern $RELEASE/$OS_TYPE-$ARCH and has been applied to os-releases, venvs, and pools.
The EPEL repository is now removed in favor of the RDO repository.
This is a breaking change for existing CentOS deployments. The yum package manager will have errors when it finds that certain packages that it installed from EPEL are no longer available. Deployers may need to rebuild containers or reinstall packages to complete this change.
The openstack_tempest_gate.sh script has been removed as it requires the use of the run_tempest.sh script which has been deprecated in Tempest. In order to facilitate the switch, the default for the variable tempest_run has been set to yes, forcing the role to execute tempest by default. This default can be changed by overriding the value to no. The test whitelist may be set through the list variable tempest_test_whitelist.
Deprecation Notes
The variables galera_client_apt_repo_url and galera_client_yum_repo_url are deprecated in favour of the common variable galera_client_repo_url.
The update state for the ensure_endpoint method of the keystone module is now deprecated, and will be removed in the Queens cycle. Setting state to present will achieve the same result.
Security Issues
The security role will no longer fix file permissions and ownership based on the contents of the RPM database by default. Deployers can opt in for these changes by setting security_reset_perm_ownership to yes.
The tasks that search for .shosts and shosts.equiv files (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a long time to complete on systems with lots of files and it also causes a significant amount of disk I/O while it runs.
Other Notes
The keepalived role was updated, and now includes an optional way to configure vrrp scripts timeouts. See also: VRRP timeout PR on keepalived role.
15.0.0
Prelude
Functionality to support Ubuntu Trusty (14.04) has been removed from the code base.
New Features
CentOS7/RHEL support has been added to the ceph_client role.
Only Ceph repos are supported for now.
There is now experimental support to deploy OpenStack-Ansible on CentOS 7 for both development and test environments.
Experimental support has been added to allow the deployment of the OpenStack Designate service when hosts are present in the host group dnsaas_hosts.
Support has been added for the horizon designate-ui dashboard. The dashboard will be automatically enabled if any hosts are in the dnsaas_hosts inventory group.
The os_horizon role now has support for the horizon designate-ui dashboard. The dashboard may be enabled by setting horizon_enable_designate_ui to True in /etc/openstack_deploy/user_variables.yml.
Support has been added for the horizon trove-ui dashboard. The dashboard will be automatically enabled if any hosts are defined in the trove-infra_hosts inventory group.
Deployers can now define the override cinder_rpc_executor_thread_pool_size, which defaults to 64.
Deployers can now define the override cinder_rpc_response_timeout, which defaults to 60.
Experimental support has been added to allow the deployment of the OpenStack trove service when hosts are present in the host group trove-infra_hosts.
It is now possible to customise the location of the configuration file source for the All-In-One (AIO) bootstrap process using the bootstrap_host_aio_config_path variable.
It is now possible to customise the location of the scripts used in the All-In-One (AIO) bootstrap process using the bootstrap_host_aio_script_path variable.
It is now possible to customise the name of the user_variables.yml file created by the All-In-One (AIO) bootstrap process using the bootstrap_host_user_variables_filename variable.
It is now possible to customise the name of the user_secrets.yml file created by the All-In-One (AIO) bootstrap process using the bootstrap_host_user_secrets_filename variable.
The filename of the apt source for the ubuntu cloud archive can now be defined with the variable uca_apt_source_list_filename.
The filename of the apt source for the ubuntu cloud archive used in ceph client can now be defined by giving a filename in the uca part of the dict ceph_apt_repos.
The filename of the apt source for the ubuntu cloud archive can now be defined with the variable uca_apt_source_list_filename.
The filename of the apt/yum source can now be defined with the variable mariadb_repo_filename.
The filename of the apt source can now be defined with the variable filename inside the dicts galera_repo and galera_percona_xtrabackup_repo.
The filename of the apt source for the ubuntu cloud archive can now be defined with the variable uca_apt_source_list_filename.
Support has been added to allow the deployment of the OpenStack barbican service when hosts are present in the host group key-manager_hosts.
The number of worker threads for neutron will now be capped at 16 unless a specific value is specified. Previously, the calculated number of workers could get too high on systems with a large number of processors. This was particularly evident on POWER systems.
The default value for the variables ceilometer_api_workers and ceilometer_notification_workers is now capped at 16 when the user doesn’t configure these variables. The default value is half the number of vCPUs available on the machine with a capping value of 16.
The default value for the variable cinder_osapi_volume_workers is now capped at 16 when the user doesn’t configure this variable. The default value is half the number of vCPUs available on the machine with a capping value of 16.
The default value for the variable galera_wsrep_slave_threads is now capped at 16 when the user doesn’t configure this variable. The default value is the number of vCPUs available on the machine with a capping value of 16.
The default value for the variable galera_max_connections is now capped at 1600 when the user doesn’t configure this variable. The default value is 100 times the number of vCPUs available on the machine with a capping value of 1600.
The default value for the variables glance_api_workers and glance_registry_workers is now capped at 16 when the user doesn’t configure these variables. The default value is half the number of vCPUs available on the machine with a capping value of 16.
The default value for the variables heat_api_workers and heat_engine_workers is now capped at 16 when the user doesn’t configure these variables. The default value is half the number of vCPUs available on the machine with a capping value of 16.
The default value for the variables horizon_wsgi_processes and horizon_wsgi_threads is now capped at 16 when the user doesn’t configure these variables. The default value is half the number of vCPUs available on the machine with a capping value of 16.
The default value for the variable keystone_wsgi_processes is now capped at 16 when the user doesn’t configure this variable. The default value is half the number of vCPUs available on the machine with a capping value of 16.
The default value for the variables neutron_api_workers, neutron_num_sync_threads and neutron_metadata_workers is now capped at 16 when the user doesn’t configure these variables. The default value is half the number of vCPUs available on the machine with a capping value of 16.
The default value for the variables nova_wsgi_processes, nova_osapi_compute_workers, nova_metadata_workers and nova_conductor_workers is now capped at 16 when the user doesn’t configure these variables. The default value is half the number of vCPUs available on the machine with a capping value of 16.
The default value for the variable repo_nginx_workers is now capped at 16 when the user doesn’t configure this variable. The default value is half the number of vCPUs available on the machine with a capping value of 16.
The ceilometer configuration files other than ceilometer.conf are now retrieved from upstream. You can override the repository from which these are retrieved by setting the ceilometer_git_config_lookup_location variable, which defaults to git.openstack.org.
Several configuration files that were not templated for the os_ceilometer role are now retrieved from git. The git repository used can be changed using the ceilometer_git_config_lookup_location variable. By default this points to git.openstack.org. These files can still be changed using the ceilometer_x_overrides variables.
Playbooks for ceph-ansible have been added to facilitate gate testing of the OpenStack-Ansible integration with Ceph clusters, and can be used to integrate the two projects so that OpenStack-Ansible can deploy and consume its own Ceph installation using ceph-ansible. This should be considered an experimental integration until further testing has been completed by deployers and the OpenStack-Ansible gate to fine tune its stability and completeness. The ceph-install playbook can be activated by adding hosts to the ceph-mon_hosts and ceph-osd_hosts in the OSA inventory. A variety of ceph-ansible specific variables will likely need to be configured in user_variables.yml to configure ceph-ansible for your environment. Please reference the ceph-ansible repo for a list of variables the project supports.
The installation of chrony is still enabled by default, but it is now controlled by the security_enable_chrony variable.
Deployers can set heat_cinder_backups_enabled to enable or disable the cinder backups feature in heat. If heat has cinder backups enabled, but cinder’s backup service is disabled, newly built stacks will be undeletable. The heat_cinder_backups_enabled variable is set to false by default.
A new switch pip_install_build_packages is introduced to allow toggling compiler and development library installation. The legacy behavior of installing the compiler and development libraries is maintained as the switch is enabled by default.
Deployers can set openstack_host_nf_conntrack_max to control the maximum size of the netfilter connection tracking table. The default of 262144 should be increased if virtual machines will be handling large amounts of concurrent connections.
LXC containers will now generate a fixed mac address on all network interfaces when the option lxc_container_fixed_mac is set to true. This feature was implemented to resolve issues with dynamic mac addresses in containers generally experienced at scale with network intensive services.
The os-designate role now supports Ubuntu 16.04 and SystemD.
The Designate pools.yaml file can now be generated via the designate_pools_yaml attribute, if desired. This allows users to populate the Designate DNS server configuration using attributes from other plays and obviates the need to manage the file outside of the Designate role.
The rabbitmq_server role now supports disabling listeners that do not use TLS. Deployers can override the rabbitmq_disable_non_tls_listeners variable, setting a value of True if they wish to enable this feature.
Neutron DHCP options have been set to allow a DHCP server running dnsmasq to coexist with other DHCP servers within the same network. This works by instructing dnsmasq to ignore any clients which are not specified in dhcp-host files.
Neutron DHCP options have been set to provide for logging which makes debugging DHCP and connectivity issues easier by default.
Variable ceph_extra_confs has been expanded to support retrieving additional ceph.conf and keyrings from multiple ceph clusters automatically.
Additional libvirt ceph client secrets can be defined to support attaching volumes from different ceph clusters.
Additional volume-types can be created by defining a list named extra_volume_types in the desired backend of the variable(s) cinder_backends.
Container boot ordering has been implemented on container types where it would be beneficial. This change ensures that stateful systems running within a container are started ahead of non-stateful systems. While this change has no impact on a running deployment, it will assist with faster recovery should any node hosting containers go down or simply need to be restarted.
A new task has been added to the “os-lxc-container-setup.yml” common-tasks file. This new task will allow for additional configurations to be added without having to restart the container. This change is helpful in cases where non-impacting config needs to be added or updated on running containers.
The galera_client_package_install option can now be specified to handle whether packages are installed as a result of the openstack-ansible-galera_client role running. This will default to true, but can be set to false to prevent package installs. This is useful when deploying the my.cnf client configuration file on hosts that already have Galera installed.
You can specify the galera_package_arch variable to force a specific architecture when installing percona and qpress packages. This will be automatically calculated based on the architecture of the galera_server host. Acceptable values are x86_64 for Ubuntu-16.04 and RHEL 7, and ppc64le for Ubuntu-16.04.
Add get_networks command to the neutron library. This will return network information for all networks, and fail if the specified net_name network is not present. If no net_name is specified, network information for all networks will be returned without performing a check on an existing net_name network.
Set the glance_swift_store_auth_insecure variable to override the swift_store_auth_insecure value in /etc/glance/glance-api.conf. Set this value when using an external Swift store that does not have the same insecure setting as the local Keystone.
Specify the gnocchi_auth_mode var to set the auth_mode for gnocchi. This defaults to basic which has changed from noauth to match upstream. If gnocchi_keystone_auth is true or yes this value will default to keystone.
Specify the gnocchi_git_config_lookup_location value to specify the git repository where the gnocchi config files can be retrieved. The api-paste.ini and policy.json files are now retrieved from the specified git repository and are not carried in the os_gnocchi role.
Several configuration files that were not templated for the os_gnocchi role are now retrieved from git. The git repository used can be changed using the gnocchi_git_config_lookup_location variable. By default this points to git.openstack.org. These files can still be changed using the gnocchi_x_overrides variables.
If the cinder backup service is enabled with cinder_service_backup_program_enabled: True, then heat will be configured to use the cinder backup service. The heat_cinder_backups_enabled variable will automatically be set to True.
It’s now possible to change the behavior of DISALLOW_IFRAME_EMBED by defining the variable horizon_disallow_iframe_embed in the user variables.
The --check parameter for dynamic_inventory.py will now raise warnings if there are any groups defined in the user configuration that are not also found in the environment definition.
Add support for neutron as an enabled_network_interface.
The ironic_neutron_provisioning_network_name and ironic_neutron_cleaning_network_name variables can be set to the name of the neutron network to use for provisioning and cleaning. The ansible tasks will determine the appropriate UUID for that network. Alternatively, ironic_neutron_provisioning_network_uuid or ironic_neutron_cleaning_network can be used to directly specify the UUID of the networks. If both ironic_neutron_provisioning_network_name and ironic_neutron_provisioning_network_uuid are specified, the specified UUID will be used. If only the provisioning network is specified, the cleaning network will default to the same network.
Added support for ironic-OneView drivers. Check the documentation on how to enable them.
When using a copy-on-write backing store, the lxc_container_base_name can now include a prefix defined by lxc_container_base_name_prefix.
LXC on CentOS is now installed via package from a COPR repository rather than installed from the upstream source.
IPv6 support has been added for the LXC bridge network. This can be configured using lxc_net6_address, lxc_net6_netmask, and lxc_net6_nat.
The variable lxc_cache_environment has been added. This dictionary can be overridden by deployers to set HTTP proxy environment variables that will be applied to all lxc container download tasks.
The new provider network attribute sriov_host_interfaces is added to support SR-IOV network mappings inside Neutron. The provider_network adds new items network_sriov_mappings and network_sriov_mappings_list to the provider_networks dictionary. Multiple interfaces can be defined by comma separation.
The dragonflow plugin for neutron is now available. You can set the neutron_plugin_type to ml2.dragonflow to utilize this code path. The dragonflow code path is currently experimental.
Neutron SR-IOV can now be optionally deployed and configured. For details about what the service is and what it provides, see the SR-IOV Installation Guide.
The nova-placement service is now configured by default. nova_placement_service_enabled can be set to False to disable the nova-placement service.
The nova-placement api service will run as its own ansible group nova_api_placement.
Nova cell_v2 support has been added. The default cell is cell1, which can be overridden by the nova_cell1_name variable. Support for multiple cells is not yet available.
The copy of the /etc/openstack-release file is now optional. To disable the copy of the file, set openstack_distrib_file to no.
The location of the /etc/openstack-release file placement can now be changed. Set the variable openstack_distrib_file_path to place it in a different path.
The os_keystone role now performs a rolling upgrade without downtime during installation. The process for rolling upgrades is documented here.
A new variable, tempest_flavors, has been added to the os_tempest role allowing users to define nova flavors to be during tempest testing.
CentOS7/RHEL support has been added to the os_aodh role.
CentOS7/RHEL support has been added to the os_ceilometer role.
CentOS7/RHEL support has been added to the os_designate role.
CentOS7/RHEL support has been added to the os_gnocchi role.
CentOS7/RHEL support has been added to the os_heat role.
CentOS7/RHEL support has been added to the os_horizon role.
CentOS7/RHEL support has been added to the os_neutron role.
CentOS7/RHEL support has been added to the os_nova role.
CentOS7/RHEL support has been added to the os_swift role.
The openstack-ansible-security role is now configured to apply the security configurations from the Red Hat Enterprise Linux 7 STIG to OpenStack-Ansible deployments.
The os_barbican role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting barbican_package_state to present.
The os_designate role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting designate_package_state to present.
The PATH environment variable that is configured on the remote system can now be set using the openstack_host_environment_path list variable.
Deployers can now define the variable cinder_qos_specs to create qos specs and assign those specs to desired cinder volume types.
RabbitMQ Server can now be installed using different methods: from a deb file (default), from a standard repository package, or from an external repository. Current behavior is unchanged. Please define rabbitmq_install_method: distro to use packages provided by your distribution or rabbitmq_install_method: external_repo to use packages stored in an external repo. If external_repo is used, the process will install RabbitMQ from the packages hosted by packagecloud.io, as recommended by RabbitMQ.
The Red Hat Enterprise Linux (RHEL) 7 STIG content is now deployed by default. Deployers can continue using the RHEL 7 STIG content by setting the following Ansible variable:
stig_version: rhel6
The swift_rsync_reverse_lookup option has been added. This setting will handle whether rsync performs reverse lookups on client IP addresses, and will default to False. We recommend leaving this option at False, unless DNS or host entries exist for each swift host’s replication address.
The security-hardening playbook hosts target can now be filtered using the security_host_group var.
When using the pypy python interpreter you can configure the garbage collection (gc) settings for pypy. Set the minimum GC value using the swift_pypy_gc_min variable. GC will only happen when the memory size is above this value. Set the maximum GC value using the swift_pypy_gc_max variable. This is the maximum memory heap size for pypy. Both variables are not defined by default, and will only be used if the values are defined and swift_pypy_enabled is set to True.
Swift tempauth users can now be specified. The swift_tempauth_users variable can be defined as a list of tempauth users, and their permissions. You will still need to specify the appropriate Swift middleware using the swift_middleware_list variable, in order to utilise tempauth.
Swift versioned_writes middleware is added to the pipeline by default. Additionally the allow_versioned_writes setting in the middleware configuration is set to True. This follows the Swift defaults, and enables the use of the X-History-Location metadata Header.
Adds support for the horizon trove-ui dashboard. The dashboard will be automatically enabled if any trove hosts are defined.
The Trove dashboard is available in Horizon. Deployers can enable the panel by setting the following Ansible variable:
horizon_enable_trove_ui: True
The variable trove_conductor_workers can be configured for defining the number of workers for the trove conductor service. The default value is half the number of vCPUs available on the machine with a capping value of 16.
Added new variable tempest_volume_backend_names and updated templates/tempest.conf.j2 to point backend_names at this variable.
The os_barbican role now supports deployment on Ubuntu 16.04 using SystemD.
Known Issues¶
The variables haproxy_keepalived_(internal|external)_cidr now have a default set to 169.254.(2|1).1/24. This is to prevent Ansible undefined variable warnings. Deployers must set values for these variables for a working haproxy with keepalived environment when using more than one haproxy node.
Upgrade Notes¶
The global override cinder_nfs_client is replaced in favor of fully supporting multi backends configuration via the cinder_backends stanza.
The Designate pools.yaml file can now be generated via the designate_pools_yaml attribute, if desired. This ability is toggled by the designate_use_pools_yaml_attr attribute. In the future this behavior may become default and designate_pools_yaml may become a required variable.
The galera_client role now installs MariaDB client version 10.1.
For systems using the APT package manager, the sources file for the MariaDB repo now has a consistent name, ‘MariaDB.list’.
The galera_server role now installs MariaDB server version 10.1.
For systems using the APT package manager, the sources files for the MariaDB and Percona repos now have consistent names, ‘MariaDB.list’ and ‘Percona.list’.
The galera_mariadb_apt_server_package and galera_mariadb_yum_server_package variables have been renamed to galera_mariadb_server_package.
The galera_apt_repo_url and galera_yum_repo_url variables have been renamed to galera_repo_url.
The latest stable release of Ceph, Jewel, is now used as the default client version since Hammer was scheduled for EOL in November 2016.
The variables used to produce the /etc/openstack-release file have been changed in order to improve consistency in the name spacing according to their purpose.
openstack_code_name –> openstack_distrib_code_name
openstack_release –> openstack_distrib_release
Note that the value for openstack_distrib_release will be taken from the variable openstack_release if it is set.
The variable neutron_dhcp_domain has been renamed to neutron_dns_domain.
The nova-cert service has been deprecated, is marked for removal in the Ocata release, and will no longer be deployed by the os_nova role.
Installation of designate and its dependent pip packages will now only occur within a Python virtual environment. The designate_venv_enabled, designate_venv_bin, designate_venv_etc_dir and designate_non_venv_etc_dir variables have been removed.
The os_barbican role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option barbican_package_state should be set to present.
The os_designate role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option designate_package_state should be set to present.
The security role will accept the currently installed version of a package rather than attempting to update it. This reduces unexpected changes on the system from subsequent runs of the security role. Deployers can still set security_package_state to latest to ensure that all packages installed by the security role are up to date.
The glance library has been removed from OpenStack-Ansible’s plugins. Upstream Ansible modules for managing OpenStack image resources should be used instead.
The variable proxy_env_url is now used by the apt-cacher-ng jinja2 template to set up an HTTP/HTTPS proxy if needed.
The gnocchi_archive_policies and gnocchi_archive_policy_rules variables never had full support in the role so were ineffective at the intended purpose. The task references to them have been removed and the library to perform gnocchi operations has also been removed. This eliminates the need for the gnocchi client to be installed outside the virtual environment as well.
The following secrets are no longer used by OpenStack-Ansible and can be removed from user_secrets.yml:
container_openstack_password
keystone_auth_admin_token
cinder_v2_service_password
nova_ec2_service_password
nova_v3_service_password
nova_v21_service_password
nova_s3_service_password
swift_container_mysql_password
The variables tempest_requirements_git_repo and tempest_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables horizon_requirements_git_repo and horizon_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables swift_requirements_git_repo and swift_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables ironic_requirements_git_repo and ironic_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables neutron_requirements_git_repo and neutron_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables heat_requirements_git_repo and heat_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables magnum_requirements_git_repo and magnum_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables sahara_requirements_git_repo and sahara_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables cinder_requirements_git_repo and cinder_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables trove_requirements_git_repo and trove_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables gnocchi_requirements_git_repo and gnocchi_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables glance_requirements_git_repo and glance_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables keystone_requirements_git_repo and keystone_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables aodh_requirements_git_repo and aodh_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables barbican_requirements_git_repo and barbican_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables nova_requirements_git_repo and nova_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables nova_lxd_requirements_git_repo and nova_lxd_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables rally_requirements_git_repo and rally_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
The variables ceilometer_requirements_git_repo and ceilometer_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.
Deployers should review the new RHEL 7 STIG variables in defaults/main.yml to provide custom configuration for the Ansible tasks.
The default behaviour of rsync, to perform reverse lookups, has been changed to False. This can be set to True by setting the swift_rsync_reverse_lookup variable to True.
Functionality to support Ubuntu Trusty (14.04) has been removed from the code base.
Gnocchi service endpoint variables were not named correctly. Renamed variables to be consistent with other roles.
The variable gnocchi_required_pip_packages was incorrectly named and has been renamed to gnocchi_requires_pip_packages to match the standard across all roles.
The cinder project removed the shred value for the volume_clear option. The default for the os_cinder OpenStack-Ansible role has changed to zero.
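An upgrade check built from the renames and removals listed in these Upgrade Notes, added here as an example (it is not part of OpenStack-Ansible). It assumes overrides are flat top-level keys, as in a typical user_variables.yml or user_secrets.yml; the function names and the sample file contents are constructed for illustration.

```python
import re

# Old name -> new name, as listed in the Upgrade Notes above.
RENAMED = {
    "galera_mariadb_apt_server_package": "galera_mariadb_server_package",
    "galera_mariadb_yum_server_package": "galera_mariadb_server_package",
    "galera_apt_repo_url": "galera_repo_url",
    "galera_yum_repo_url": "galera_repo_url",
    "openstack_code_name": "openstack_distrib_code_name",
    "openstack_release": "openstack_distrib_release",
    "neutron_dhcp_domain": "neutron_dns_domain",
    "gnocchi_required_pip_packages": "gnocchi_requires_pip_packages",
}

# Variables the notes say were removed or replaced -> what to use instead.
REMOVED = {
    "cinder_nfs_client": "cinder_backends",
    "designate_venv_enabled": None,
    "designate_venv_bin": None,
    "designate_venv_etc_dir": None,
    "designate_non_venv_etc_dir": None,
    "gnocchi_archive_policies": None,
    "gnocchi_archive_policy_rules": None,
}
SERVICES = ("tempest horizon swift ironic neutron heat magnum sahara cinder "
            "trove gnocchi glance keystone aodh barbican nova nova_lxd rally "
            "ceilometer").split()
for svc in SERVICES:
    for suffix in ("requirements_git_repo", "requirements_git_install_branch"):
        REMOVED[f"{svc}_{suffix}"] = "pip_install_upper_constraints"

# Secrets the notes list as no longer used (safe to drop from user_secrets.yml).
UNUSED_SECRETS = {
    "container_openstack_password", "keystone_auth_admin_token",
    "cinder_v2_service_password", "nova_ec2_service_password",
    "nova_v3_service_password", "nova_v21_service_password",
    "nova_s3_service_password", "swift_container_mysql_password",
}

KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:")


def top_level_keys(text):
    """Yield (line_number, key) for unindented, uncommented mapping keys."""
    for lineno, line in enumerate(text.splitlines(), 1):
        match = KEY_RE.match(line)
        if match:
            yield lineno, match.group(1)


def audit(text, secrets_file=False):
    """Return (line, key, kind, replacement) for every stale override found."""
    findings = []
    for lineno, key in top_level_keys(text):
        if key in RENAMED:
            findings.append((lineno, key, "renamed", RENAMED[key]))
        elif key in REMOVED:
            findings.append((lineno, key, "removed", REMOVED[key]))
        elif secrets_file and key in UNUSED_SECRETS:
            findings.append((lineno, key, "unused-secret", None))
    return findings


# Constructed sample overrides; values are placeholders.
SAMPLE_VARS = """\
---
# constructed sample user_variables.yml
neutron_dhcp_domain: example.internal
galera_apt_repo_url: http://mirror.example.internal/mariadb
# nova_requirements_git_repo: commented out, so it is ignored
swift_requirements_git_install_branch: stable/newton
designate_venv_enabled: true
lxc_container_fixed_mac: true
"""
SAMPLE_SECRETS = """\
keystone_auth_admin_token: CONSTRUCTED-PLACEHOLDER
nova_s3_service_password: CONSTRUCTED-PLACEHOLDER
keystone_service_password: CONSTRUCTED-PLACEHOLDER
"""

if __name__ == "__main__":
    for name, text, is_secrets in (("user_variables.yml", SAMPLE_VARS, False),
                                   ("user_secrets.yml", SAMPLE_SECRETS, True)):
        for lineno, key, kind, new in audit(text, secrets_file=is_secrets):
            hint = f" -> {new}" if new else ""
            print(f"{name}:{lineno}: {key} [{kind}]{hint}")
```

Stale secrets flagged by the check are worth deleting rather than leaving in place, since user_secrets.yml is copied and backed up along with the credentials that are still live.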
Deprecation Notes¶
The vars to set source_sample_interval for the os_ceilometer role are deprecated and will be removed in the Queens cycle. To override these variables after Queens, utilize the ceilometer_pipeline_yaml_overrides file.
The ceilometer_gnocci_resources_yaml_overrides variable is deprecated and scheduled for removal in the Pike cycle. It is replaced by the correctly spelled variable ceilometer_gnocchi_resources_yaml_overrides, which should now be used.
The gnocchi_keystone_auth is deprecated, and will be removed in the Queens cycle. Setting gnocchi_auth_mode to keystone will achieve the same result.
The Red Hat Enterprise Linux 6 STIG content has been deprecated. The tasks and variables for the RHEL 6 STIG will be removed in a future release.
Removed tempest_volume_backend1_name and tempest_volume_backend2_name since backend1_name and backend2_name were removed from tempest in commit 27905cc (merged 26/04/2016)
Bug Fixes¶
When a task fails while executing a playbook, the default behaviour for Ansible is to fail for that host without executing any notifiers. This can result in configuration changes being executed, but services not being restarted. OpenStack-Ansible now sets ANSIBLE_FORCE_HANDLERS to True by default to ensure that all notified handlers attempt to execute before stopping the playbook execution.
LXC containers will now have the ability to use a fixed mac address on all network interfaces when the option lxc_container_fixed_mac is set to true. This change will assist in resolving a long standing issue where network intensive services, such as neutron and rabbitmq, can enter a confused state for long periods of time and require rolling restarts or internal system resets to recover.
The ‘container_cidr’ key has been restored back to openstack_inventory.json. The fix to remove deleted global override keys mistakenly deleted the ‘container_cidr’ key, as well. This was used by downstream consumers, and cannot be reconstructed with other information inside the inventory file. Regression tests were also added.
SSLv3 is now disabled in the haproxy daemon configuration by default.
Properly distribute client keys to nova hypervisors when extra ceph clusters are being deployed.
Properly remove temporary files used to transfer ceph client keys from the deploy host and hypervisors.
Systems using systemd (like Ubuntu Xenial) were incorrectly limited to a low number of open files. This was causing issues when restarting galera. A deployer can still define the maximum number of open files with the variable galera_file_limits (Defaults to 65536).
Metal hosts were being inserted into the lxc_hosts group, even if they had no containers (Bug 1660996). This is now corrected for newly configured hosts. In addition, any hosts that did not belong in lxc_hosts will be removed on the next inventory run or playbook call.
Errors relating to groups containing both hosts and other groups as children now raise a more descriptive error. See inventory documentation for more details. Fixes bug
Setting the haproxy_bind list on a service is now used as an override to the other VIPs defined in the environment. Previously it was being treated as an append to the other VIPs so there was no path to override the VIP binds for a service. For example, haproxy_bind could be used to bind a service to the internal VIP only.
The haproxy daemon is now able to bind to any port on CentOS 7. The haproxy_connect_any SELinux boolean is now set to on.
The percona repository stayed in place even after a change of the variable use_percona_upstream. From now on, the percona repository will not be present unless the deployer decides to use_percona_upstream. This also fixes a bug of the presence of this apt repository after an upgrade from Mitaka.
The NovaLink URL used the ‘ftp’ protocol to provision the apt key, which caused the apt_key module to fail to retrieve the NovaLink gpg public key file. The protocol of the URL has therefore been changed to ‘http’. For more information, see bug 1637348.
The apt-cacher-ng daemon does not use the proxy server specified in environment variables. The proxy server specified in the proxy_env_url variable is now set inside the apt-cacher-ng configuration file.
Setup for the PowerVM driver was not properly configuring the system to support RMC configuration for client instances. This fix introduces an interface template for PowerVM that properly supports mixed IPV4/IPV6 deploys and adds documentation for PowerVM RMC. For more information see bug 1643988.
Other Notes¶
XtraBackup is currently on version 2.4.5 for ppc64le architecture when pulling deb packages from the repos.
XtraBackup is currently on version 2.4.5 for amd64 architecture when pulling rpm/deb packages from the repos. To pull the latest available 2.4 branch version from the yum/apt repository set the use_percona_upstream variable to True. The default behavior using deb packages is unchanged.
From now on, external repo management (in use for RDO/UCA for example) will be done inside the pip-install role, not in the repo_build role.